System and Method for Document Isolation

1. A computer-implemented method of controlling access to documents, comprising: maintaining a first list defining who may access a base document; maintaining a second list defining who may perform operations on the base document; upon receipt of a request from a user to create a workflow, accessing the first list and the second list to determine whether the user may create a workflow relating to the base document; if the first list and the second list indicate the user may create a workflow relating to the base document, creating a copy of the base document; and while the copy of the base document is in the workflow, in response to a request from a user to access the base document, providing the user access to the base document when it is determined by referencing at least the first list that the user should not be provided access to the copy of the base document, and providing the user access to the copy of the base document when it is determined by referencing at least the first list that the user should be provided access to the copy of the base document.

2. The method of claim 1 , wherein maintaining a first list defining who may access a base document comprises maintaining a list of security descriptors.

3. The method of claim 1 , wherein maintaining a second list defining who may perform operations on the base document comprises maintaining an access control list.

4. The method of claim 1 , further comprising updating the second list upon creation of the copy of the base document to identify who may perform operations on the copy of the base document.

5. The method of claim 4 , wherein updating the second list upon creation of the copy of the base document comprises assigning a unique identifier to a new operation, and associating with the unique identifier users that are authorized to perform the operation.

6. The method of claim 4 , wherein updating the second list upon creation of the copy of the base document comprises assigning a unique identifier to a new operation, and associating with the unique identifier roles that are authorized to perform the operation.

7. The method of claim 1 , wherein maintaining a first list defining who may access a base document comprises maintaining a first list defining roles that may access a base document.

8. The method of claim 1 , further comprising maintaining a third list defining who may access the copy of the base document.

9. A computer-implemented method of controlling access to documents, comprising: maintaining a list of security descriptors identifying who may access a base document; maintaining an access control list defining who may perform operations on the base document; upon receipt of a request from a user to create a workflow, accessing the list of security descriptors and the access control list to determine whether the user may create a workflow relating to the base document; if the list of security descriptors and the access control list indicate the user may create a workflow relating to the base document, creating a copy of the base document; and while the copy of the base document is in the workflow, in response to a user request to access the base document, providing the user access to the base document when it is determined by referencing at least the list of security descriptors that the user should not be provided access to the copy of the base document, and providing the user access to the copy of the base document when it is determined by referencing at least the list of security descriptors that the user should be provided access to the copy of the base document.

10. The method of claim 9 , further comprising in response to requests to perform an operation on the copy of the base document, accessing at least the access control list to determine whether to allow the operation to be performed on the copy of the base document.